EP0104858A2 - Wiederinbetriebnahme eines Fernprozessors nach dessem Ausfall - Google Patents

Wiederinbetriebnahme eines Fernprozessors nach dessem Ausfall Download PDF

Info

Publication number
EP0104858A2
EP0104858A2 EP83305482A EP83305482A EP0104858A2 EP 0104858 A2 EP0104858 A2 EP 0104858A2 EP 83305482 A EP83305482 A EP 83305482A EP 83305482 A EP83305482 A EP 83305482A EP 0104858 A2 EP0104858 A2 EP 0104858A2
Authority
EP
European Patent Office
Prior art keywords
reset
board
control board
processors
control
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP83305482A
Other languages
English (en)
French (fr)
Other versions
EP0104858A3 (de
Inventor
Curtis Burton Downing
Anthony Michael Federico
Stephen P. Wilczek
Raymond Robb Husted
Richard T. Ziehm
Michael Edson Edmunds
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xerox Corp
Original Assignee
Xerox Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xerox Corp filed Critical Xerox Corp
Publication of EP0104858A2 publication Critical patent/EP0104858A2/de
Publication of EP0104858A3 publication Critical patent/EP0104858A3/de
Withdrawn legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Programme-control systems
    • G05B19/02Programme-control systems electric
    • G05B19/04Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0428Safety, monitoring
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Programme-control systems
    • G05B19/02Programme-control systems electric
    • G05B19/04Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0421Multiprocessor system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1415Saving, restoring, recovering or retrying at system level
    • G06F11/1417Boot up procedures
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24114Continue program if crashed microprocessor, program module is not crucial
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/25Pc structure of the system
    • G05B2219/25232DCS, distributed control system, decentralised control unit
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/25Pc structure of the system
    • G05B2219/25381Restart program at predetermined position, crash recovery after power loss

Definitions

  • This invention relates to a multiprocessor machine control, and in particular, to a machine control providing recovery from the crash of one of the processors.
  • a software abnormality or crash or other previously unrecoverable control system previously unrecoverable control system malfunction will necessitate a resetting and checking of the control system.
  • resetting the system it is known to be able to selectively reset each of the individual microprocessors.
  • the particular processor manifesting the crash fails reset, the machine would not operate. That is, for example, a hardware failure in the particular processor inhibiting reset would usually terminate machine operation. If, however, the particular processor failing reset was not crucial to machine operation, the reset failure would lead to unnecessary machine down time.
  • an object of the present invention to provide a new and improved multiprocessor machine control system. It is a further object of the present invention to provide a control system in a multiprocessor environment in which processor failing reset can be ignored by the remaining multiprocessor control and machine operation continued. In addition, it is an object of this invention to allow a single processor to crash and recover, with or without a reset.
  • the present invention is a multiprocessor machine control system in which the failure of one of the processors to reset can be ignored by the rest of the control system.
  • a software crash or other abnormality on one of the processors will generate a reset procedure. If the processor cannot be reset, this will indicate a processor board failure such as a hardware failure. If the processor and its controlled elements are not crucial to the machine operation, then the control will ignore the failed processor as though it were not in the control system, and continue with machine operation.
  • an electrophotographic printing or reproduction machine employing a belt 10 having a photoconductive surface.
  • Belt 10 moves in the direction of arrow 12 to advance successive portions of the photoconductive surface through various processing stations, starting with a charging station including a corona generating device 14.
  • the corona generating device charges the photoconductive surface to a relatively high substantially uniform potential.
  • the charged portion of the photoconductive surface is then advanced through an imaging station.
  • a document handling unit 15 positions an original document 16 facedown over exposure system 17.
  • the exposure system 17 includes lamp 20 illuminating the document 16 positioned on transparent platen 18.
  • the light rays reflected from document 16 are transmitted through lens 22.
  • Lens 22 focuses the light image of original document 16 onto the charged portion of the photoconductive surface of belt 10 to selectively dissipate the charge. This records an electrostatic latent image on the photoconductive surface corresponding to the informational areas contained within the original document.
  • Platen 18 is mounted movably and arranged to move in the direction of arrows 24 to adjust the magnification of the original document being reproduced.
  • Lens 22 moves in synchronism therewith so as to focus the light image of original document 16 onto the charged portion of the photoconductive surface of belt 10.
  • Document handling unit 15 sequentially feeds documents from a holding tray, in seriatim, to platen 18. The document handling unit recirculates documents back to the stack supported on the tray. Thereafter, belt 10 advances the electrostatic latent image recorded on the photoconductive surface to a development station.
  • a pair of magnetic brush developer rollers 26 and 28 advance a developer material into contact with the electrostatic latent image.
  • the latent image attracts toner particles from the carrier granules of the developer material to form a toner powder image on the photoconductive surface of belt 10.
  • belt 10 advances the toner powder image to the transfer station.
  • a copy sheet is moved into contact with the toner powder image.
  • the transfer station includes a corona generating device 30 which sprays ions onto the backside of the copy sheet. This attracts the toner powder image from the photoconductive surface of belt 10 to the sheet.
  • the copy sheets are fed from a selected one of trays 34 or 36 to the transfer station.
  • conveyor 32 advances the sheet to a fusing station.
  • the fusing station includes a fuser assembly for permanently affixing the transferred powder image to the copy sheet.
  • fuser assembly 40 includes a heated fuser roller 42 and backup roller 44 with the sheet passing between fuser roller 42 and backup roller 44 with the powder image contacting fuser roller 42.
  • conveyor 46 transports the sheets to gate 48 which functions as an inverter selector.
  • gate 48 the copy sheets will either be deflected into a sheet inverter 50 or bypass sheet inverter 50 and be fed directly onto a second gate 52.
  • Decision gate 52 deflects the sheet directly into an output tray 54 or deflects the sheet into a transport path which carries them on without inversion to a third gate 56.
  • Gate 56 either passes the sheets directly on without inversion into the output path of the copier, or deflects the sheets into a duplex inverter roll transport 58.
  • Inverting transport 58 inverts and stacks the sheets to be duplexed in a duplex tray 60.
  • Duplex tray 60 provides intermediate or buffer storage for those sheets which have been printed on one side for printing on the opposite side.
  • the previously simplexed sheets in tray 60 are fed seriatim by bottom feeder 62 back to the transfer station for transfer of the toner powder image to the opposed side of the sheet.
  • Conveyers 64 and 66 advance the sheet along a path which produces a sheet inversion.
  • the duplex sheets are then fed through the same path as the previously simplexed sheets to be stacked in troy 54 for subsequent removal by the printing machine operator.
  • the cleaning station includes a rotatably mounted brush 68 in contact with the photoconductive surface of belt 10.
  • a controller 38 and control panel 86 are also illustrated in Figure 1.
  • the controller 38 as represented by dotted lines is electrically connected to the various components of the printing machine.
  • controller 38 illustrated in Figure 1.
  • a central processing master (CFM) control board 70 for communicating information to and from all the other control boards in particular the paper handling remote.
  • PHR control board 72 controlling the operation of all the paper handling subsystems such as paper feed, registration and output transports.
  • control boards are the xerographic remote (XER) control board 74 for monitoring and controlling the xerographic process, in particular the analog signals, the marking and imaging remote (MIR) control board 76 for controlling the operation of the optics and xerographic subsystems, in particular the digital signals.
  • a display control remote (DCR) control board 78 is also connected to the CPM control board 70 providing operation and diagnostic information on both an alphanumeric and liquid crystal display. Interconnecting the control boards is a shared communication line 80, preferably a shielded coaxial cable or twisted pair with suitable communication protocol such as the Xerox Ethernet communication system (Ethernet is a registered trade mark).
  • RDHR Recirculating Document Handling Remote
  • SADHR Semi-Automatic Document Handler Remote
  • SOR Sorter Output Remote
  • FOR Finisher Output Remote
  • Each of the controller boards preferably includes an Intel 8085 microprocessor with suitable Random Access Memory (RAM) and Read Only Memory (ROM). Also interconnected to the CPM control board is a Master Memory Board (MMB) 84 with suitable ROMs to control normal machine operation and a control panel board 86 for entering job selections and diagnostic programs. Also contained in the CPM board 70 is suitable nonvolatile memory. All of the control boards other than the CPM control board are generally referred to as remote control boards.
  • RAM Random Access Memory
  • ROM Read Only Memory
  • MMB Master Memory Board
  • All of the control boards other than the CPM control board are generally referred to as remote control boards.
  • the control panel board 86 is directly connected to the CPM control board 70 over a 70 line wire and the memory board 84 is connected to the CPM control board 70 over a 36 line wire.
  • the Master Memory Board 84 contains 56K byte memory and the CPM control board 70 includes 2K ROM, 6K RAM, and a 512 byte nonvolatile memory.
  • the PHR control board 72 includes 1K RAM and 4K ROM and handles 29 inputs and 28 outputs.
  • the XER control board 74 handles up to 24 analog inputs and provides 12 analog output signals and 8 digital output signals and includes 4K ROM and 1K. RAM.
  • the MIR board 76 handles 13 inputs and 17 outputs and has 4K ROM and 1K RAM.
  • the PHR, XER and MIR boards receive various switch and sensor information from the printing machine and provide various drive and activation signals, such as to clutches, motors and lamps in the operation of the printing machine. It should be understood that the control of various types of machines and processes are contemplated within the scope of this invention.
  • a master timing signal is generated by PHR board 72 and used by the CPM, PHR, MIR and XER control boards 70, 72, 74 and 76.
  • the Pitch Reset (PR) signal is generated in response to a sensed registration finger.
  • Two registration fingers 90a, 90b on conveyor or registration transport 66 activate a not shown suitable sensor to produce the registration finger or pitch reset signal.
  • the registration finger or pitch reset signal is conveyed to suitable control logic on the Paper Handler Remote control board 72.
  • a Machine Clock signal (MCLK) is conveyed to the Paper Handling Remote 72 via the CPM remote board 70 to the same control logic.
  • the timing reset pitch reset signal is conveyed to the CPM board 70 and the XER and the MIR remotes 74, 76.
  • the machine clock signal is generated by a timing disk 92 or machine clock sensor connected to the main drive of the machine. The clock sensor signal allows the remote control boards to receive actual machine speed timing information.
  • the timing disk 92 rotation generates 1,000 machine clock pulses every second.
  • a registration finger sensed signal occurs once for every registration finger sensed signal as shown in Figure 3.
  • a belt hole pulse is also provided to synchronize the seam on the photoreceptor belt 10 with the transfer station to assure that images are not projected onto the seam of the photoreceptor belt.
  • these benchmarks include monitoring that the number of tasks or procedures to be completed by the control system is not beyond the capacity of the control system to respond. Another benchmark would be to determine that the communication system has more than the expected number of requests to be made and would be forced to drop or ignore further requests.
  • any complex control system has numerous limits. When these limits are exceeded either because of a malfunction, software error, or because of the nondeterministic nature of real time control, the control system is in danger of erroneous operation. In prior systems, one of the following actions happen:
  • the recognition of the fault can provide valuable control information.
  • the response to a fault detection Fault information is recorded and available for Tech Rep diagnostics or to maintain machine operation.
  • the isolation of the fault to a particular control board (block 102). This information is recorded in nonvolatile memory for later use by the Tech Rep.
  • the next step is to monitor a crash display enable flag in nonvolatile memory (block 105). If the flag is not set, the control will proceed with a control board reset procedure (block 106). If the flag is set, the machine enters a crash display routine (block 107). The crash display enable flag or location in nonvolatile memory is set by the Tech Rep to place the machine in the display mode. Once in the display mode, the Tech Rep can examine RAM, nonvolatile memory, and other registers to provide valuable diagnostic information.
  • the fault is in one of the control boards and that particular control board fails reset. That is, there is a hardware failure related to the particular control board causing the crash. However, if it is a noncritical hardware component, that is, if the failed component is not crucial to machine operation or control, machine operation can continue either unaffected or only slightly degraded.
  • the failed control board controls a display that is not essential to the operation of the machine
  • the control board and display can be ignored by the rest of the control system until the control board has recovered.
  • Machine operation can continue without the use of the device controlled by the failed board.
  • this situation would be noticed by the operator since the display would be blank for a few seconds until it had recovered.
  • the final level of machine operation response, block 112 is the indication of a crash or failure of a control board that cannot be reset and it is critical to the machine operation. This can be termed a critical hardware failure. At this point the machine must be stopped and corrective action taken such as a jam clearance. At this particular level, in response to the software crash or malfunction, the machine can be cleared and totally recovered. That is, the parameters of the interrupted job remain intact. These parameters are saved and restored for the machine to continue on with the job in progress at the point of the malfunction. It should be noted that each of the levels of response is a further feature of the present invention and will be described in more detail.
  • various errors and faults are recorded by the CPM board 70 ( Figure 4, block 100). These faults are conveyed by the CPM board to the control panel 86 for display. With reference to Figure 5, a preferred embodiment of control panel 86 is illustrated. There is also shown a display panel 120. The control panel 86 is electrically coupled to the CPM board. The display panel 120 is electrically coupled to the DCR remote control board 78.
  • the control panel 86 allows an operator to select copy size (button 122), copy contrast (button 124), number of copies to be made (keys 126), and the simplex or duplex mode (button 128). Also included on panel 86 are a start button 130, a stop button 132, an eight character 7 segment display 134, a three character 7 segment display 136, and a job interrupt button 138. The displays 134, 136 provide the operator and Tech Rep with various operating and diagnostic information.
  • the display panel 120 informs the operator of the status of the machine and can be used to prompt the operator to take corrective action in the event of a fault in machine operation.
  • the display panel 120 includes a flip chart 140, a Liquid Crystal Display (LCD) 142, an alphanumeric display 144 and a "Power On" button 146.
  • LCD Liquid Crystal Display
  • a coarse code is provided, giving the reason for the crash.
  • This coarse code will be automatically displayed on the control panel 86 on display 134 if the machine has been so programmed by the Tech Rep in NUM; i.e. the crash display flag is enabled.
  • the coarse codes generally identify the particular control board that failed.
  • a fine code is used to indicate in more detail the cause of the failure of a particular control board.
  • the fine code is obtained by pressing the stop key 132 and looking at the right most two digits on the display 134 on the control panel 86.
  • the fine code error code
  • the fine code will be displayed in hexadecimal on the control panel 86.
  • a decimal value of the fault code is found in nonvolatile memory using a diagnostics procedures.
  • Typical of coarse codes would be X'1F' or decimal 31 indicating a CPM board 70 fault. That is, an error occurred on the CPM board 70. The fine code is then used for the specific error.
  • Another example of a coarse code would be X'5F' or decimal 95 indicating no acknowledgement from the XER board 74. That is, the CPM board 70 sent a message to the XER board 74 and after three retransmissions of the message, the XER board failed to acknowledge receiving any of them.
  • the coarse code and a fine code together describe the failure.
  • the coarse code is X'5F' and the fine code is X'OA'
  • the XER board 74 failed and the specific failure was a timer failure.
  • Various other Fine Crash Codes are listed in Appendix A.
  • the first level of the Tech Rep response to a fault indication, block 102 as shown in Figure 4, is to isolate the particular control board having the fault. This information is recorded in nonvolatile memory.
  • one of the control boards in particular, the CPM control board 70, is designated as the master. All the other processors or control boards report their faults to the master. In other words, failures to communicate over the shared line by a particular remote control board or failure, such as a timer failure on a particular remote board, generates an error signal conveyed to the CPM board.
  • the CPM control board 70 When the CPM control board 70 receives a fault message, it will record the type of fault and the source of the message in suitable memory locations, preferably in nonvolatile memory. This data is preserved for Tech Rep diagnostics. It will also time stamp the fault so that the first fault message is identified. That is, the CPM board will check Machine Clock pulses and record the count along with the error message.
  • the master or CPM board 70 will transmit a message to itself. That is, the CPM board 70 will transmit a message to itself that simulates a message being received by the CPM board over the shared communication line. This will verify whether the master's communication channel is valid, in particular to verify the CPM board's receiver circuitry. This is done to identify the case that the remote control board sent a valid response, but the CPM board did not receive it. In this case, the master or CPM board 70 will be identified as being faulty.
  • This provides the means to collect fault information as a remote control board begins to fail. It is particularly valuable in identifying the first of a possibly linked series of subsystem failures that can be traced to the first board to send a fault message.
  • each controller board has designated counters or storage locations in nonvolatile memory. These counters enable the control system to record the fault history of each control board. This is the second level of diagnostics shown as block 104 in Figure 4.
  • Each of the control boards has one counter designated in nonvolatile memory to record instances of malfunctions or crashes. Another counter records instances of machine crashes during machine run or operation.
  • each of the control boards specifically the CPM, RDH, MIR, XER, DCR, and PHR, boards.
  • the counters are illustrated as being on the various control boards. However, in a preferred embodiment, all counters are located in nonvolatile memory on the CPM board 70. Since crashes can be reset and the machine can then run again, there will probably be several crashes before the Tech Rep actually services the machine.
  • Counter 1 is associated with each of the control boards to record crashes for that particular control board during both standby and machine run.
  • Counter 2 although illustrated for each control board, in the preferred embodiment is actually only one counter to record all instances of crashes during machine run only. It is a cumulative count of crashes for all boards.
  • the Tech Rep preferably only clears those nonvolatile memory locations associated with control boards having problems corrected by the Tech Rep. In this manner, the system can be used to record problems only occurring on an infrequent basis then the control can record and have available problems that it had even if only on a very infrequent basis. It is possible to distinguish intermittent control board problems from intermittent problems that are not associated with the control boards, such as noise. Nonboard problems such as noise and software design errors are usually caused during machine running.
  • a failure during both power up and machine run is a good indication of board failure.
  • the board failure could be either the board itself or, under rare circumstances, the software associated with the board.
  • a problem, even though intermittent, is observed during run. This is a strong indication of noise or some intermittent running problem. That is, nonboard problems are usually caused by noise from some machine component when it is running.
  • fault recording (block 104, Figure 4) need not necessarily occur before the reset of the control boards. It could occur, for example, after reset and restoration of parameters, i.e. after block 112.
  • a control system software crash means that the system is not functioning correctly.
  • the usual response is to reset or re-initialize the system.
  • various registers are cleared, in particular various Random Access Memory locations are re-initialized.
  • RAM locations often contain information on the nature and type of a particular software crash.
  • an automatic reset disable feature allows a Tech Rep to place the machine into the crash display mode if a crash occurred.
  • the automatic reset is disabled through a suitable switch.
  • forcing the system software to crash can be a valuable diagnostic tool. For example, if the Tech Rep suspects a software problem, he can force the machine to software crash and then interrogate various RAM locations for crash related information.
  • the CPM board 70 may have an incorrect value in memory. It may be that the system can reset and ignore the problem temporarily. However, the problem may occur relatively frequently. Suspecting a problem, the Tech Rep will begin to isolate the cause. The Tech Rep will first verify the operation of the microprocessors and the RAM controls. The Tech Rep can then force the machine into a software crash and display the contents of RAM. The display of the RAM contents will occur after the reset of all the boards except the CPM board 70.
  • the Tech Rep using a special routine, sets a predetermined nonvolatile memory location to a certain value. This causes a display of software crash if a crash occurs. If a crash occurs, the display 134 on control panel 86 will show the word "error" on the lefthand side of the display 134. Various two digit code numbers on the right of the display represent the processor board where the failure occurred.
  • the Tech Rep has the capability to read the content of RAM locations.
  • Certain control panel buttons then provide the Tech Rep with certain capabilities. For example, with the stop print 132 button initially pushed, the control panel display 134 will show the location of the address of the crash code on the left with the contents of that location on the right. The location is correctly defined as "ElEO”. Further actuation of this button will increment the lower byte addresses, displaying the new location and its contents.
  • the error 1F/81 indicates an invalid activation address on the CPM board.
  • This error results from a task trying to execute in an area of memory not intended for execution (for example, input/output ports, vector address area, RAM and nonvolatile memory).
  • the error occurs as a task is about to jump to its next instruction. This means that the task must have already put the bad address in its Task Control Buffer before the execution was attempted.
  • the Tech Rep fills out the Task Control Buffer (TCB) information for the currently running task.
  • the Task Control Buffer (TCB) is a RAM table that merely contains information relative to a particular task that is being executed. Such information includes data and priority information for relationships to other tasks.
  • the currently running task is found in $CURRENT ID which is at address F361.
  • the Tech Rep can make certain judgements. In particular, he can predict if the problem is noise and check the connectors, or if the values that he reads are within a certain range, it might indicate a software problem. As an example of how the Tech Rep relates various address locations with various information reference is made to Figure 7.
  • Each task receives its parameters in a stack called the correspondence or byte stack.
  • a pointer to the first element in the stack is found in the Task Control Buffer (TCB) table or pointer starting at EEAO.
  • TBC Task Control Buffer
  • To get the pointer of task X look at memory location EEAO + X. This pointer is the least significant value of the address of the first element in the stack. The most significant byte of the address is hexadecimal address 'EE'.
  • the contents of memory location EFOO + X contains the data for that element of the stack.
  • the correspondence stack (2, 11, ID, 96, 1, A, A) (top to bottom) might look as shown in Figure 7 if it were the stack for task 12.
  • Each task also has a word stack, which is used for saving information while the task is running. It uses the same format as the correspondence stack, except that there are two data fields (one for the least significant byte of the word, and one for the most significant byte). Typically, there will be only one or two entries on the stack.
  • the address for the TCB word stack pointer starts at EFAO, and the stack is located at F9XX, FAXX and FBXX.
  • one of the processors or control boards is given the role of a master control from the standpoint of simultaneously resetting the other controller boards, Figure 4, block 106.
  • the master control issues a global reset signal. This signal goes automatically to each of the other processors or control boards in the system.
  • the global reset signal will resynchronize the other processors or control boards in the system back to a normal state of operation. Since many of the abnormalities and system software crashes are transient, the multiprocessor system is reset and the system continues to function without requiring any manual power up or other resetting.
  • the CPM control board 70 is given the role of master control for resetting the other control boards.
  • the reset circuitry provides suitable reset signals to the PHR, XER, MIR, DCR and RDHR, control boards 72, 74, 76, 78 and 82.
  • the reset circuitry holds the other control boards reset during the normal power up and power down operations. This allows the CPM contol board 70 to insure its proper operation before it allows the other control boards in the system to start their normal operation. Thus, if the CPM board detects its own operational problem, it can hold the remaining control boards in a safe condition.
  • the reset control includes an 8085 reset signal from the Intel 8085 microprocessor on the CPM control board 70.
  • the 8085 signal, set to 0, is fed to a buffer B to gate the transistor driver T.
  • the transistor T provides a suitable reset signal simultaneously to each of the control boards through suitable resistor networks.
  • the transistor T is shown providing the RST$PHR, RST$RDHR, RST$DCR, RST$MIR, and RST$XER signals.
  • a reset signal spare. SPR is provided for any additional control boards that may be added to the system.
  • the master controller (CPM board 70) in the multiprocessor system provides for the selective resetting of the other individual control boards in the system.
  • CCM board 70 the master controller in the multiprocessor system
  • CPM control board 70 with reset lines to the PHR board 72, the XER board 74, the MIR board 76, the DCR board 78 and the RDHR board 82.
  • reset circuitry 140 on CPM control board 70 controls the reset of the PHR control board 72
  • reset circuitry 142 controls the reset of the DCR control board 78
  • reset circuitry 144 controls the reset of the RDHR control board 82.
  • reset circuitry 146 controls the resetting of the MIR control board 76
  • reset circuitry 148 controls the resetting of the XER control board 74.
  • Figure 10a illustrates the reset circuitry 140 on CPM board 70.
  • the reset circuitry includes the Intel 8085 reset signal to buffer B, in turn driving transistor drive T to provide a separate reset signal RST$PHR to the PHR control board 72.
  • Reset circuitry 142 as shown in Figure 10b includes the 8085 reset signal to a separate buffer B, in turn driving its own transistor driver T to provide a separate reset signal RST$CDR to the DCR control board 78.
  • separate reset circuitry shown in Figures lOc, 10d and 10e provides suitable separate reset signals to the RDHR, MIR and XER boards 82, 76 and 74.
  • the CPM control board then resets this one remote control board individually. If the remote control board is not functioning properly, the CPM board can hold the one remote board in reset.
  • the CPM board 70 writes information Into a small portion of the nonvolatile memory.
  • the low voltage power supply is conveying power to the nonvolatile memory 88 and charging the battery.
  • the nonvolatile memory is relying on the battery to hold its contents. 4
  • the information in ROM in the CPM board 70 that is written into the nonvolatile memory is compared. If the two memories do not match, a battery fault status code is declared. Also, the CPM board 70 writes a small portion of information into nonvolatile memory and then reads the same information. If the information is not matched, a nonvolatile memory fault code is declared.
  • the CPM board 70 conveys a reset signal to all the remote control boards 72, 74, 76, 78, and 82 to start the self test of each of the remotes.
  • each remote simultaneously starts its own self test checking for a remote control board processor fault, an input circuit fault or an output circuit fault.
  • a processor or control board fault is declared when a remote control board cannot communicate with the CPM board 70. That is, the control logic on the remote control board cannot perform its basic test of its hardware devices. There is also a DC input self test to verify operation of the DC input circuitry on all the remotes and a DC output self test to verify the DC output circuits on all the remote control boards.
  • a shared communication line 80 test to test the shared communication line logic on the CPM board 70, the shared communication logic on the remote control boards and the shared communication logic cable.
  • the CPM board 70 attempts to send and receive a signal to and from each of the remotes in sequence.
  • the CPM board 70 successfully sends and receives signals from the remote control boards, the CPM board 70, the remote control boards and the shared communication line 80 are verified.
  • the failure of a remote control board to reset does not necessarily inhibit machine operation (block 110 of Figure 4).
  • the particular control board failing reset is not critical to the overall machine operation, the machine continues operation. The machine continues operation even though the particular board is not operational.
  • the DCR control board 78 is an example of a control board that is not crucial to machine operation.
  • a flag or crash enable byte is set in nonvolatile memory.
  • the application software will monitor the flag to determine if it is necessary to go to crash display routine for the Tech Rep or not. This is done by the CPM board 70 looking at the crash enable byte in nonvolatile memory.
  • the CPM board 70 will reset all remotes, including DCR and goes to crash display routine with a message "Error 8F".
  • the CPM board will attempt to communicate with the DCR board 78 by polling the DCR board. If the communication is successful, the CPM board 70 will send for DCR board status and allow normal communication to the DCR. If the communication is not completed, no further communication will be allowed to the DCR board and the machine will continue to run as though the DCR does not exist.
  • the DCR operating system will send status messages to the CPM board for the following two conditions:
  • the DCR recovery strategy follows the following sequence:
  • the DCR board 78 may never be reset and the messages will never be displayed.
  • the DCR board may be recovered.
  • the system will initialize and update all messages that were initially lost.
  • the messages that had been saved in the CPM RAM will finally be dumped into the DCR board RAM table.
  • the DCR will then display the most valid or current message to the display.
  • the final level in machine recovery is to completely restore the interrupted job after a critical software crash or failure. This type of crash recovery can be considered full job recovery after a system crash.
  • the machine resets itself, and with some operator intervention, job integrity is preserved ( Figure 4, block ll2).
  • one of the processors of a multiprocessor control again assumes the roll of the master controller.
  • the CPM board 70 is the master controller.
  • a software flag typically a bit in the memory could be monitored. This flag would indicate to the CPM board 70 that there should be no destruction of the contents of the random access memories. This monitoring would be done prior to any initiation or reset sequence of the control boards.
  • the CPM board 70 would indicate to itself not to destroy the contents of RAM location that contained the necessary parameters. These would be the parameters needed to place the CPM board and the other control boards into the same state as before the occurrence of the crash. In other words, the CPM board 70 would reset the other control boards using the standard diagnostic and checking procedures, but would retain the information in RAM locations necessary to recover the other control boards with the appropriate information in tact.
  • the primary purpose of crash recovery is to maintain job integrity by saving the essential variables to be able to continue the job after the crash.
  • the essential variables are such things as the selected information from the control panel such as quantity selected, magnification ratio, two- sided copying and copy quality.
  • Other essential information is state and status information of the machine at the time of the crash.
  • the most reliable means to preserve this information is to store these variables in nonvolatile memory rather than RAM and to continually update the information in nonvolatile memory as it changes.
  • all the control boards automatically perform job recovery and all key information is continually updated in nonvolatile memory.
  • all key information is continually updated in nonvolatile memory.
  • the job progresses according to the following re-initialization procedure. If a recirculating handler is in the system, then the RDHR control board 82 receives a fault signal from the CPM control board 70 that there is a crash. The RDHR control board 82 then immediately declares a fault, A10, that instructs the operator to remove and reorder the documents in the document handler.
  • the CPM board 70 Operating System has reset and re-initialized all the remote control boards, in particular clearing all of the information stored in RAM.
  • the Operating System restores the relevant variables in the nonvolatile memory 88 on the CPM board 70 to the appropriate RAM locations on the remote boards.
  • the CPM board 70 updates the control panel 86 with the job selected parameters at the time of the crash and restores the remote control board status.
  • the RDHR board 82 is told the number of originals in a set and the CPM board 70 instructs the RDHR board 82 to cycle the sheets until the correct sheet is on the platen.
  • Other restored information would be, for example, the number of sheets already delivered to a sorter, along with the bin number to start additional sorting if necessary. Note that in a preferred embodiment, there are approximately 116 variables deemed necessary to be used for crash recovery and automatically updated in nonvolatile memory as required.
  • a software crash occurs in a standby mode, the machine is reset and the control panel is refreshed unchanged. If stop print has been pushed and the machine has cycled down, recovery is identical.- If a software crash occurs in the middle of the second job during a job interrupt, crash recovery is identical to a noninterrupt job. In particular, the second job continues where it left off as if no software crash occured. After completion of the second job, the interrupted job with its variables stored in nonvolatile memory continues from where it was interrupted.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • General Engineering & Computer Science (AREA)
  • Hardware Redundancy (AREA)
  • Retry When Errors Occur (AREA)
  • Safety Devices In Control Systems (AREA)
  • Debugging And Monitoring (AREA)
EP83305482A 1982-09-21 1983-09-19 Wiederinbetriebnahme eines Fernprozessors nach dessem Ausfall Withdrawn EP0104858A3 (de)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US06/420,965 US4589090A (en) 1982-09-21 1982-09-21 Remote processor crash recovery
US420965 1999-10-20

Publications (2)

Publication Number Publication Date
EP0104858A2 true EP0104858A2 (de) 1984-04-04
EP0104858A3 EP0104858A3 (de) 1987-01-21

Family

ID=23668610

Family Applications (1)

Application Number Title Priority Date Filing Date
EP83305482A Withdrawn EP0104858A3 (de) 1982-09-21 1983-09-19 Wiederinbetriebnahme eines Fernprozessors nach dessem Ausfall

Country Status (5)

Country Link
US (1) US4589090A (de)
EP (1) EP0104858A3 (de)
JP (1) JPS5972556A (de)
CA (1) CA1213306A (de)
ES (1) ES525389A0 (de)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0180988A2 (de) * 1984-11-08 1986-05-14 Canon Kabushiki Kaisha Bildgestaltungssteuerungssystem
EP0199273A2 (de) * 1985-04-16 1986-10-29 Minolta Camera Kabushiki Kaisha Dokumentverarbeitungsgerät
AU637227B2 (en) * 1990-04-13 1993-05-20 Fujitsu Limited Method of resetting adapter module at failing time and computer system

Families Citing this family (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4837683A (en) * 1985-10-21 1989-06-06 The United States Of America As Represented By The Secretary Of The Air Force Hidden fault bit apparatus for a self-organizing digital processor system
US5079740A (en) * 1987-01-12 1992-01-07 Ncr Corporation System and method of providing an automatic back-up primary terminal for a cluster of secondary terminals
US4873631A (en) * 1988-04-25 1989-10-10 Ncr Corporation Point of sale automatic back-up system and method
US5023817A (en) * 1989-03-06 1991-06-11 Xerox Corporation Jam history and diagnostics
US5251227A (en) * 1989-08-01 1993-10-05 Digital Equipment Corporation Targeted resets in a data processor including a trace memory to store transactions
US4951069A (en) * 1989-10-30 1990-08-21 Xerox Corporation Minimization of communication failure impacts
JP3098584B2 (ja) * 1990-09-28 2000-10-16 ゼロックス コーポレイション 電子複写システムにおける障害除去及び回復方法及び装置
US5307354A (en) * 1991-05-31 1994-04-26 International Business Machines Corporation Method and apparatus for remote maintenance and error recovery in distributed data processing networks
US5679985A (en) * 1992-09-23 1997-10-21 International Business Machines Corporation Power supply with automatic recovery system
US5758185A (en) * 1992-10-01 1998-05-26 Hudson Soft Co. Ltd. Method for resetting a system controlled by a CPU and having a semi-autonomous IC unit
US5390324A (en) * 1992-10-02 1995-02-14 Compaq Computer Corporation Computer failure recovery and alert system
JPH06274354A (ja) * 1993-03-12 1994-09-30 Internatl Business Mach Corp <Ibm> 破壊的なハードウェア動作を制御する方法及びシステム
US5835953A (en) * 1994-10-13 1998-11-10 Vinca Corporation Backup system that takes a snapshot of the locations in a mass storage device that has been identified for updating prior to updating
US5649152A (en) * 1994-10-13 1997-07-15 Vinca Corporation Method and system for providing a static snapshot of data stored on a mass storage system
US5791790A (en) * 1996-03-13 1998-08-11 Lexmark International, Inc. Method and apparatus for providing print job buffering for a printer on a fast data path
CA2258798C (en) 1996-06-18 2009-12-22 Ontrack Data International, Inc. Apparatus and method for remote data recovery
GB2328578A (en) * 1997-08-22 1999-02-24 Motion Media Techn Ltd Automatic reset of remote video surveillance system
US6948092B2 (en) * 1998-12-10 2005-09-20 Hewlett-Packard Development Company, L.P. System recovery from errors for processor and associated components
US6662310B2 (en) 1999-11-10 2003-12-09 Symantec Corporation Methods for automatically locating url-containing or other data-containing windows in frozen browser or other application program, saving contents, and relaunching application program with link to saved data
US6630946B2 (en) 1999-11-10 2003-10-07 Symantec Corporation Methods for automatically locating data-containing windows in frozen applications program and saving contents
US6631480B2 (en) 1999-11-10 2003-10-07 Symantec Corporation Methods and systems for protecting data from potential corruption by a crashed computer program
JP3660182B2 (ja) * 1999-12-03 2005-06-15 株式会社リコー 画像処理装置
US6691250B1 (en) * 2000-06-29 2004-02-10 Cisco Technology, Inc. Fault handling process for enabling recovery, diagnosis, and self-testing of computer systems
US20040141461A1 (en) * 2003-01-22 2004-07-22 Zimmer Vincent J. Remote reset using a one-time pad
WO2009040879A1 (ja) * 2007-09-25 2009-04-02 Fujitsu Limited 情報処理装置及び制御方法
US20110029971A1 (en) * 2009-07-30 2011-02-03 Fujitsu Limited Information processing apparatus, image processing method and computer program

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3478324A (en) * 1966-08-02 1969-11-11 Gen Electric Data processing system including means for detecting illegal actions and generating codes in response thereto
US4263650A (en) * 1974-10-30 1981-04-21 Motorola, Inc. Digital data processing system with interface adaptor having programmable, monitorable control register therein
US4338023A (en) * 1980-01-28 1982-07-06 Xerox Corporation Job recovery hierarchy in a reproduction machine
JPS57113169A (en) * 1980-12-29 1982-07-14 Fujitsu Ltd Microcomputer

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB1310664A (en) * 1971-01-28 1973-03-21 Ibm Data handling systems
JPS5932822B2 (ja) * 1976-12-02 1984-08-11 株式会社日立製作所 多重化デイジタル制御装置
US4151590A (en) * 1977-11-15 1979-04-24 Hokushin Electric Works, Ltd. Process control system
US4206996A (en) * 1978-05-05 1980-06-10 International Business Machines Corporation Job recovery method and apparatus
US4321666A (en) * 1980-02-05 1982-03-23 The Bendix Corporation Fault handler for a multiple computer system
JPS6053339B2 (ja) * 1980-10-09 1985-11-25 日本電気株式会社 論理装置のエラ−回復方式

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3478324A (en) * 1966-08-02 1969-11-11 Gen Electric Data processing system including means for detecting illegal actions and generating codes in response thereto
US4263650A (en) * 1974-10-30 1981-04-21 Motorola, Inc. Digital data processing system with interface adaptor having programmable, monitorable control register therein
US4263650B1 (en) * 1974-10-30 1994-11-29 Motorola Inc Digital data processing system with interface adaptor having programmable monitorable control register therein
US4338023A (en) * 1980-01-28 1982-07-06 Xerox Corporation Job recovery hierarchy in a reproduction machine
JPS57113169A (en) * 1980-12-29 1982-07-14 Fujitsu Ltd Microcomputer

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
IBM TECHNICAL DISCLOSURE BULLETIN, vol. 21, no. 10, March 1979, pages 3935,3936, New York, US; R.E. KUSESKI et al.: "Dynamic reconfiguration in copier/printers" *
PATENTS ABSTRACTS OF JAPAN, vol. 6, no. 206 (P-149)[1084], 19th October 1982; & JP-A-57 113 169 (FUJITSU K.K.) 14-07-1982 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0180988A2 (de) * 1984-11-08 1986-05-14 Canon Kabushiki Kaisha Bildgestaltungssteuerungssystem
EP0180988A3 (en) * 1984-11-08 1988-10-05 Canon Kabushiki Kaisha System for controlling image formation system for controlling image formation
US4980814A (en) * 1984-11-08 1990-12-25 Canon Kabushiki Kaisha System for controlling image formation
EP0199273A2 (de) * 1985-04-16 1986-10-29 Minolta Camera Kabushiki Kaisha Dokumentverarbeitungsgerät
EP0199273A3 (de) * 1985-04-16 1989-01-18 Minolta Camera Kabushiki Kaisha Dokumentverarbeitungsgerät
AU637227B2 (en) * 1990-04-13 1993-05-20 Fujitsu Limited Method of resetting adapter module at failing time and computer system

Also Published As

Publication number Publication date
CA1213306A (en) 1986-10-28
US4589090A (en) 1986-05-13
JPS5972556A (ja) 1984-04-24
ES8502559A1 (es) 1985-01-01
EP0104858A3 (de) 1987-01-21
ES525389A0 (es) 1985-01-01

Similar Documents

Publication Publication Date Title
EP0104090B2 (de) Kopiermaschinenkontrollsystem mit Wiedergewinnung von Kopien
US4589090A (en) Remote processor crash recovery
US4514846A (en) Control fault detection for machine recovery and diagnostics prior to malfunction
EP0104886B1 (de) Fehlereingrenzung in verteiltem Datenverarbeitungsbetrieb
EP0113164B1 (de) Steuerstörungsfeststellvorrichtung für ein Vervielfältigungsgerät
US4499581A (en) Self testing system for reproduction machine
JP2701846B2 (ja) 複写機
US4580232A (en) Single point microprocessor reset
US3588472A (en) Logic control apparatus
US4163897A (en) Automatic copy recovery
CA1075756A (en) Programmable controller for controlling reproduction machines
US4496237A (en) Consumable status display
CA1192599A (en) Directive diagnostics
EP0103850A2 (de) Gesonderte Rücksetzung von Prozessoren in einer Multiprozessorssteuerung
US4691317A (en) Feature deselect control
US4951069A (en) Minimization of communication failure impacts
KR940005166B1 (ko) 전자복사기의 이상상태 진단방법
JPS6290668A (ja) 複写機の異常原因記憶装置
JPH06305599A (ja) 画像形成装置
JPS6167052A (ja) 複写機の異常状態診断方法
JPS5936264A (ja) 複写機
JPH0490563A (ja) 複写制御装置
NL8400222A (nl) Afdrukinrichting.
JPS5880668A (ja) 紙送り制御装置
JPH0291737A (ja) 制御装置の暴走監視制御方法

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Designated state(s): DE FR GB IT

PUAL Search report despatched

Free format text: ORIGINAL CODE: 0009013

AK Designated contracting states

Kind code of ref document: A3

Designated state(s): DE FR GB IT

17P Request for examination filed

Effective date: 19870702

17Q First examination report despatched

Effective date: 19880322

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 19890617

RIN1 Information on inventor provided before grant (corrected)

Inventor name: FEDERICO, ANTHONY MICHAEL

Inventor name: EDMUNDS, MICHAEL EDSON

Inventor name: HUSTED, RAYMOND ROBB

Inventor name: ZIEHM, RICHARD T.

Inventor name: WILCZEK, STEPHEN P.

Inventor name: DOWNING, CURTIS BURTON